Submissions on behalf of solicitors and the Law Society of Scotland 


Data sharing is an issue that some solicitors have been struggling with following the 
introduction of the GDPR, despite the reality in law that not much has changed in 
terms of what is lawful. What can be more challenging for solicitors is complying with 
the transparency obligation. Individuals are also more inclined to challenge 
processing activities in general, including the processing carried out by solicitors. 


Finally, there is still some doubt about the status of a solicitor as a data controller 
since the terms that define a data processor are very similar to the role that solicitors 
carry out for the clients, particularly that a processor can act only on the instructions 
of a client. The Law Society of Scotland are of the view that it would be beneficial for 
the ICO to provide guidance on data sharing which is more helpful to solicitors’ firms, 
as opposed to the generic draft guidance which has a very clear focus on data 
sharing within the public sector. We have provided some examples that could 
perhaps be considered for inclusion in the guidance. 


We appreciate that the ICO’s role is not to provide guidance for all sectors, which is 
why the Law Society of Scotland are working on our own guidance in relation to data 
sharing. We would hope that this is a document that the ICO could feed into. 


The Guidance 


In our view, the guidance fails to distinguish adequately between sharing data with 
another data controller/joint controller and sharing with a data processor. It would 
assist here to refer to some typical examples, including those involving professional 
advisers. This should be clearly stated at the start of the guidance and not buried 
within. As stated above, the distinction is still widely misunderstood. 


It would also be helpful if the exemptions and the restrictions set out in schedule 2 of 
the DPA 2018 were at least mentioned in this guidance. These are often missed and 
misunderstood by organisations and the current ICO guidance under the GDPR 
pages of its website simply reiterates the legislation with little additional guidance. We 
feel that this is a missed opportunity to provide some other examples. 


The term ‘data sharing’ can be seen as a technical term when it actually applies to 
passing data from one party to another and is simply another processing activity 
which must comply with the principles. When described like this our view is that it is 
more straightforward to recognise what needs to be done. 


Solicitors share data all the time in order to provide legal advice but we are not 
confident that they would consider this Guidance as relevant to this processing 
activity. 


Examples 


Legal basis for data sharing 


We are aware of one issue which was investigated by the ICO following a complaint. 
The matter involved a matrimonial dispute and pension sharing. Financial 
information was sent from the husband’s solicitors to the wife’s solicitors and as is 
normal practice this was forwarded to the wife’s financial adviser and then to the 
pension provider. Unfortunately, the pension provider did something unexpected and 
incorrect and the wife’s solicitors were blamed by the husband for sharing the data in 
the first place. 


When the ICO got involved there was a lack of understanding on both sides — the 
solicitors not understanding what the ICO were asking for, and the ICO not 
understanding the standard legal processes and the restrictions placed on solicitors 
by their professional obligations. The ICO was distracted by a claim made by the 
solicitors that they were data processors and missed the legal basis which had been 
suggested by the solicitors in earlier correspondence. Albeit, this had been 
suggested to the ICO amongst other suggestions in a rather scatter gun approach. 
The final view of the ICO on reviewing the initial decision was to agree that there was 
a lawful basis for the data sharing. 


Sharing special category data with experts, courts and the other side 


Solicitors will often make subject access requests on behalf of clients. Commonly 
these requests are made to their general practitioners asking for a copy of their 
client's medical records, along with a mandate. 


We are aware of cases where medical records are supplied in their entirety to 
solicitors, when they have only requested certain information. Guidance on what to 
do and where responsibility lies here would be helpful. We are also aware of 
solicitors who request the entire medical record when that is not required for their 
advice to be provided. 


What can sometimes be confusing is who has responsibility if these records are then 
shared further. For example, if the solicitor shares the records with an expert, or the 
court or the solicitors on the other side, then the solicitor may be breaching the data 
protection principles as they have a duty to consider them as a separate controller. It 
needs to be clear that the GP is not responsible if further processing (sharing) takes 
place. We are also aware of instances where medical records containing information 
about a different patient have been disclosed to solicitors, and then further disclosed. 
Again, it should be made clear that the solicitor is responsible for ensuring that the 
data is shared in compliance with the principles. 


Data in the public domain 


The fact that something is in the public domain, for example it has been referred to in open 
court, does not mean that it can be shared without taking into account the data protection 
principles. Third parties, such as other solicitors or insurance companies, regularly request 
access to material containing personal data that has been referred to in a criminal case, for 
use in a civil case. 


The solicitor’s firm is the data controller. Therefore, to share the data you must comply with 
the data protection principles, unless the exemption applies. 


The exemption 


Paragraph 5(3), part 1 of Schedule 2 of the DPA 2018 allows you to share data in 
certain circumstances. This should not be relied on routinely, but only exceptionally 
and on a case-by-case basis. 


You can share personal data where necessary¹ for: 


(a) the purpose of, or in connection with, legal proceedings (including prospective 
legal proceedings); 

(b) the purpose of obtaining legal advice; or 

(c) for the purpose of establishing, exercising or defending legal rights. 


If you are sharing data for one of these reasons, you do not require to comply with the data 
protection principles to the extent that doing so would stop you sharing the data. 


You are exempt from the requirement for the sharing to be fair and transparent but you 
must always have a legal basis for sharing the data, including a second legal basis for 
any special category or criminal offence data. 


It is up to the data controller (the solicitor’s firm) to decide if the exemption can be 
applied. It is recommended that the decision making process is documented. 


So in brief: 


1. It must be necessary to share the personal data in order to provide the 
legal advice etc. 

2. A legal basis (or bases) for sharing the data/special category or criminal offence 
data has been identified. 

3. Complying with the data protection principles would prevent us from sharing the 
data. 


In all cases you must have a legal basis to share the personal data. If it is special category 
data, i.e. medical records, or anything revealing a criminal conviction, then you must also be 
able to point to an exception from Article 9 of the GDPR or schedule 1 of the DPA 2018 
respectively. 


It is likely that the third party will have a legitimate business interest in obtaining the data. 
You must then consider any unwarranted or prejudicial impact on the data subject and if this 
outweighs the interests of the third party, then legitimate interests cannot be relied upon. 
(Article 6(1)(f)). 


¹ If legal advice could reasonably be provided by processing less data, or using data in a less intrusive way, this 
will not apply. 


If the material contains medical information then you may be satisfied that sharing the data is 
necessary for the establishment, exercise or defence of legal claims. (Article 9(2)(f)). 


If the material contains criminal offence data then you may be satisfied that sharing the data 
is necessary for the purpose of, or in connection with, legal proceedings (including 
prospective legal proceedings); the purpose of obtaining legal advice; or for the purpose of 
establishing, exercising or defending legal rights. 


To decide if you have a legal basis, you must know what the third party intends to do with 
the material and the impact that may have on those data subjects. 


If the exemption does not apply, then you need to consider if the data subjects were aware 
that their data might be shared or would they reasonably expect it to be shared? 


